Module Name:    src
Committed By:   riastradh
Date:           Mon Aug 31 20:30:34 UTC 2020

Modified Files:
        src/sys/net: if_wg.c

Log Message:
wg: On INIT, do DH and decrypt timestamp before locking session.

This narrows the window when the session is unlocked.  Really there
should be no such window, but we'll finish getting rid of it later.


To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 src/sys/net/if_wg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.45 src/sys/net/if_wg.c:1.46
--- src/sys/net/if_wg.c:1.45	Mon Aug 31 20:29:14 2020
+++ src/sys/net/if_wg.c	Mon Aug 31 20:30:34 2020
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wg.c,v 1.45 2020/08/31 20:29:14 riastradh Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.46 2020/08/31 20:30:34 riastradh Exp $	*/
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.45 2020/08/31 20:29:14 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.46 2020/08/31 20:30:34 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1433,6 +1433,23 @@ wg_handle_msg_init(struct wg_softc *wg, 
 		WG_TRACE("under load, but continue to sending");
 	}
 
+	/* [N] 2.2: "ss" */
+	/* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
+	wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);
+
+	/* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */
+	wg_timestamp_t timestamp;
+	error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0,
+	    wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp),
+	    hash, sizeof(hash));
+	if (error != 0) {
+		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
+		    "wg_algo_aead_dec for timestamp failed\n");
+		goto out_wgp;
+	}
+	/* Hi := HASH(Hi || msg.timestamp) */
+	wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp));
+
 	wgs = wg_lock_unstable_session(wgp);
 	if (wgs->wgs_state == WGS_STATE_DESTROYING) {
 		/*
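Review bot: The new early exit at `goto out_wgp` may leave `ckey` and `cipher_key`, both freshly derived from the static-static DH, on the kernel stack, because the `out_wgp` label and the rest of wg_handle_msg_init lie outside this hunk and no wipe is visible here. If those buffers are only cleared on a later path, add `explicit_memset(cipher_key, 0, sizeof(cipher_key));` (and likewise for `ckey`) under `out_wgp` or just before the jump. The ordering intent also deserves a comment above the block, for example `/* Authenticate the initiator's timestamp before taking the session lock; nothing here touches session state. */`. The existing comment `msg.timestamp := AEAD(k, TIMESTAMP(), Hi)` is the sender-side formula, whereas this code is the responder decrypting and verifying it, which is worth stating explicitly.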
@@ -1459,23 +1476,6 @@ wg_handle_msg_init(struct wg_softc *wg, 
 	wg_get_session(wgs, &psref_session);
 	mutex_exit(wgs->wgs_lock);
 
-	/* [N] 2.2: "ss" */
-	/* Ci, k := KDF2(Ci, DH(Si^priv, Sr^pub)) */
-	wg_algo_dh_kdf(ckey, cipher_key, wg->wg_privkey, wgp->wgp_pubkey);
-
-	/* msg.timestamp := AEAD(k, TIMESTAMP(), Hi) */
-	wg_timestamp_t timestamp;
-	error = wg_algo_aead_dec(timestamp, sizeof(timestamp), cipher_key, 0,
-	    wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp),
-	    hash, sizeof(hash));
-	if (error != 0) {
-		WG_LOG_RATECHECK(&wgp->wgp_ppsratecheck, LOG_DEBUG,
-		    "wg_algo_aead_dec for timestamp failed\n");
-		goto out;
-	}
-	/* Hi := HASH(Hi || msg.timestamp) */
-	wg_algo_hash(hash, wgmi->wgmi_timestamp, sizeof(wgmi->wgmi_timestamp));
-
 	/*
 	 * [W] 5.1 "The responder keeps track of the greatest timestamp
 	 *      received per peer and discards packets containing
